Patients affected by a data security incident at LifeBridge Health in March 2018 have filed a lawsuit against the facility.

LifeBridge Health, a nonprofit healthcare corporation in Baltimore, Maryland, discovered that malware had infected one of their servers in March 2018. The servers hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Access to the server was quickly terminated, and an investigation was launched into the breach.

An investigation discovered that the sensitive information of approximately 530,000 patients was compromised during the breach. The information included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers. Security experts discovered that although the breach hadn’t been detected until March 2018, the malware had been installed on the system 18 months prior, in September 2016.

Following the breach, patients were offered credit monitoring and identity theft protection services free of charge. LifeBridge Health stated that it had taken steps to “enhanced the complexity of its password requirements and the security of its system” following the breach. It has yet to be determined if any patients suffered financial losses due to the breach.

Patients who had their data compromised in the breach contacted the law firm Murphy, Falcon & Murphy to file a lawsuit against LifeBridge Health. The lawsuit alleged that the malware was installed as a result of “LifeBridge’s failure to ensure the integrity of its servers and to properly safeguard patients’ highly sensitive and confidential information.”

In the lawsuit, the plaintiffs claim that the breach was the result of “a serious lack of judgement and oversight” on the part of LifeBridge Health for failing to implement appropriate safeguards to protect patients’ personally identifiable information (PII) and protected health information (PHI), and thus did not take their responsibilities under HIPAA seriously. By failing to implement an adequate security framework, hackers were allowed to “freely roam its systems” for 18 months before the breach was discovered.

The lawsuit claims the breach exposed patients to serious harm and that the conduct of LifeBridge Health violated many privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, the Maryland Social Security Number Privacy Act, and the Maryland Consumer Protection Act.

“This data breach has compromised every aspect of these patients’ personal identities and has subjected them to significant harm,” said Hassan Murphy, Managing Partner at Murphy, Falcon & Murphy.

Two patients who were named in the lawsuit, Jahima Scott and Darlene Johnson, claim their identities were stolen and they became victims of credit card fraud shortly after the breach occurred. The plaintiffs are seeking damages in excess of $30,000.

Healthcare facilities are potentially lucrative targets for cybercrinimals due to the high black-market value of healthcare data. As many hospitals and clinics face tight budget restrictions, their cybersecurity infrastructure is often lacking. This can have disastrous effects on the security of patient information, as seen in the case of LifeBridge Health. If organisations do not have adequate technical, administrative, and physical safeguards in place to protect PHI-as required by HIPAA’s Security Rule-it is likely that they will face lawsuits by those affected most by security breaches. Healthcare organisations will also suffer repetitional damage, and penalties levied against them depending on the severity of the HIPAA violation.